Analysis
-
max time kernel
111s -
max time network
19s -
platform
windows7_x64 -
resource
win7-20240903-en -
resource tags
arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system -
submitted
19-09-2024 02:56
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
e85c44564ddda05b45ca77ba71085e779af0887df35ee73229a7ff82d24b193aN.exe
Resource
win7-20240903-en
windows7-x64
9 signatures
120 seconds
Behavioral task
behavioral2
Sample
e85c44564ddda05b45ca77ba71085e779af0887df35ee73229a7ff82d24b193aN.exe
Resource
win10v2004-20240802-en
windows10-2004-x64
8 signatures
120 seconds
General
-
Target
e85c44564ddda05b45ca77ba71085e779af0887df35ee73229a7ff82d24b193aN.exe
-
Size
94KB
-
MD5
f47f17d742a719e5c05d8f6c524b9840
-
SHA1
fd124883be69013cabe7a2c3c1b4110838228b24
-
SHA256
e85c44564ddda05b45ca77ba71085e779af0887df35ee73229a7ff82d24b193a
-
SHA512
6ee044d1d177795dfc2600336e1b66a6d40d59acfdaeaf340a7c73a0d60113ada28554e52405adbdad0da4302c9d9faefe3285902335d2869acb3555b6d06c67
-
SSDEEP
1536:MSylxf+ugKR04pfI0OsZrY8J8K2LH+MQ262AjCsQ2PCZZrqOlNfVSLUKkJr4:9yf++0ugHstY8J8XH+MQH2qC7ZQOlzSZ
Score
10/10
Malware Config
Extracted
Family
berbew
C2
http://crutop.nu/index.php
http://crutop.ru/index.php
http://mazafaka.ru/index.php
http://color-bank.ru/index.php
http://asechka.ru/index.php
http://trojan.ru/index.php
http://fuck.ru/index.php
http://goldensand.ru/index.php
http://filesearch.ru/index.php
http://devx.nm.ru/index.php
http://ros-neftbank.ru/index.php
http://lovingod.host.sk/index.php
http://www.redline.ru/index.php
http://cvv.ru/index.php
http://hackers.lv/index.php
http://fethard.biz/index.php
http://ldark.nm.ru/index.htm
http://gaz-prom.ru/index.htm
http://promo.ru/index.htm
http://potleaf.chat.ru/index.htm
http://kadet.ru/index.htm
http://cvv.ru/index.htm
http://crutop.nu/index.htm
http://crutop.ru/index.htm
http://mazafaka.ru/index.htm
http://xware.cjb.net/index.htm
http://konfiskat.org/index.htm
http://parex-bank.ru/index.htm
http://kidos-bank.ru/index.htm
http://kavkaz.ru/index.htm
http://fethard.biz/index.htm
Signatures
-
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
description ioc Process Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nabegpbp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Obngnphg.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kiepca32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ncjgao32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Djddbkck.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gfcjqkbp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Lgladc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ooabjbdn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Fmggdm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Lqfbbh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Pmeemp32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Opdffmlb.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pjpdlj32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lpnlid32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bfohoe32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Boboknnf.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Akldhi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Pcgqoech.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Nikide32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kemcookp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Fbchfi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Nieffgok.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Jcjffc32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ijokcl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Jjjohbgl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Aqapek32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jmjidneo.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gnqolikm.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Acdemegf.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mgcflnfp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ccbojk32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Qkpnbdaf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Dejqenmh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Mggoli32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ndekok32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Glkinb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Acjllqke.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gjndha32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Phdden32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Mkqnghfk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Lpnlid32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ohleappp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Mibgho32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Hcjpcmjg.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cboljemb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Hmhgjahb.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gcfiqgfp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Bopbeopi.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ejleamon.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Faefim32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Okbgkk32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mlgjce32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pijjhf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Jodkkj32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pgnmjokn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Dlppgihj.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ehechn32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fajpdmgb.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ihopjl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Gnqolikm.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jjapfamf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Jpnhoh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Gbbnkfjq.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ekjjebed.exe -
Executes dropped EXE 64 IoCs
pid Process 344 Epkgkfmd.exe 2688 Eickdlcd.exe 2800 Efglmpbn.exe 2816 Ekcdegqe.exe 2620 Fijadk32.exe 2044 Faefim32.exe 2084 Fnifbaja.exe 2632 Fajpdmgb.exe 2524 Fdhlphff.exe 2684 Fmqpinlf.exe 2692 Gaoiol32.exe 1264 Gmejdm32.exe 3008 Gfnnmboa.exe 2080 Goicaell.exe 2436 Ghagjj32.exe 2476 Ghcdpjqj.exe 1932 Hdjedk32.exe 1332 Hopibdfd.exe 1676 Hobfgcdb.exe 844 Hkifld32.exe 3032 Hpfoekhm.exe 824 Hincna32.exe 2012 Hcghffen.exe 2904 Iegaha32.exe 1528 Ianambhc.exe 2908 Iodolf32.exe 2888 Idagdm32.exe 2988 Ibehna32.exe 2588 Ihopjl32.exe 2488 Jgdmkhnp.exe 2104 Jqonjmbn.exe 560 Jjgbbc32.exe 1744 Jodkkj32.exe 948 Jjjohbgl.exe 2492 Jkklpk32.exe 1956 Kfqpmc32.exe 1180 Kkmhej32.exe 1496 Kiaiooja.exe 1612 Knnagehi.exe 2404 Kicednho.exe 1016 Knqnmeff.exe 1844 Kejfio32.exe 2368 Kjgoaflj.exe 2292 Kemcookp.exe 3040 Kfnpgg32.exe 876 Lpfdpmho.exe 2188 Ljlhme32.exe 2752 Lafpipoa.exe 1576 Lfbibfmi.exe 1736 Ldgikklb.exe 2872 Mlidplcf.exe 2304 Mknaahhn.exe 2740 Mkqnghfk.exe 2668 Mdibpn32.exe 2944 Mggoli32.exe 2848 Ngikaijm.exe 2844 Noepfkgh.exe 2560 Nliqoofa.exe 2240 Naeigf32.exe 2252 Nlkmeo32.exe 2384 Nahemf32.exe 820 Nhbnjpic.exe 3012 Nnofbg32.exe 2224 Okbgkk32.exe -
Loads dropped DLL 64 IoCs
pid Process 1616 e85c44564ddda05b45ca77ba71085e779af0887df35ee73229a7ff82d24b193aN.exe 1616 e85c44564ddda05b45ca77ba71085e779af0887df35ee73229a7ff82d24b193aN.exe 344 Epkgkfmd.exe 344 Epkgkfmd.exe 2688 Eickdlcd.exe 2688 Eickdlcd.exe 2800 Efglmpbn.exe 2800 Efglmpbn.exe 2816 Ekcdegqe.exe 2816 Ekcdegqe.exe 2620 Fijadk32.exe 2620 Fijadk32.exe 2044 Faefim32.exe 2044 Faefim32.exe 2084 Fnifbaja.exe 2084 Fnifbaja.exe 2632 Fajpdmgb.exe 2632 Fajpdmgb.exe 2524 Fdhlphff.exe 2524 Fdhlphff.exe 2684 Fmqpinlf.exe 2684 Fmqpinlf.exe 2692 Gaoiol32.exe 2692 Gaoiol32.exe 1264 Gmejdm32.exe 1264 Gmejdm32.exe 3008 Gfnnmboa.exe 3008 Gfnnmboa.exe 2080 Goicaell.exe 2080 Goicaell.exe 2436 Ghagjj32.exe 2436 Ghagjj32.exe 2476 Ghcdpjqj.exe 2476 Ghcdpjqj.exe 1932 Hdjedk32.exe 1932 Hdjedk32.exe 1332 Hopibdfd.exe 1332 Hopibdfd.exe 1676 Hobfgcdb.exe 1676 Hobfgcdb.exe 844 Hkifld32.exe 844 Hkifld32.exe 3032 Hpfoekhm.exe 3032 Hpfoekhm.exe 824 Hincna32.exe 824 Hincna32.exe 2012 Hcghffen.exe 2012 Hcghffen.exe 2904 Iegaha32.exe 2904 Iegaha32.exe 1528 Ianambhc.exe 1528 Ianambhc.exe 2908 Iodolf32.exe 2908 Iodolf32.exe 2888 Idagdm32.exe 2888 Idagdm32.exe 2988 Ibehna32.exe 2988 Ibehna32.exe 2588 Ihopjl32.exe 2588 Ihopjl32.exe 2488 Jgdmkhnp.exe 2488 Jgdmkhnp.exe 2104 Jqonjmbn.exe 2104 Jqonjmbn.exe -
Drops file in System32 directory 64 IoCs
description ioc Process File created C:\Windows\SysWOW64\Ikaglgei.exe Ialbon32.exe File opened for modification C:\Windows\SysWOW64\Aobblkkk.exe Aaobcg32.exe File opened for modification C:\Windows\SysWOW64\Dehdpnok.exe Dlppgihj.exe File created C:\Windows\SysWOW64\Pldjnqlb.dll Fogkhf32.exe File opened for modification C:\Windows\SysWOW64\Cflanc32.exe Cihqdoaa.exe File created C:\Windows\SysWOW64\Qoekqp32.dll Ipnigl32.exe File created C:\Windows\SysWOW64\Ijmqbl32.dll Faefim32.exe File opened for modification C:\Windows\SysWOW64\Mknaahhn.exe Mlidplcf.exe File opened for modification C:\Windows\SysWOW64\Pfabbmeh.exe Ohleappp.exe File created C:\Windows\SysWOW64\Phghedga.exe Pidhjg32.exe File opened for modification C:\Windows\SysWOW64\Mcpmqj32.exe Lpmgioed.exe File created C:\Windows\SysWOW64\Ggniamja.dll Ndekok32.exe File opened for modification C:\Windows\SysWOW64\Ijokcl32.exe Hnhjok32.exe File created C:\Windows\SysWOW64\Fpqjeiji.exe Edjjph32.exe File created C:\Windows\SysWOW64\Ipckannc.dll Hinlck32.exe File created C:\Windows\SysWOW64\Hglobj32.exe Hembfo32.exe File opened for modification C:\Windows\SysWOW64\Jpnffoci.exe Jhbaam32.exe File opened for modification C:\Windows\SysWOW64\Epkgkfmd.exe e85c44564ddda05b45ca77ba71085e779af0887df35ee73229a7ff82d24b193aN.exe File opened for modification C:\Windows\SysWOW64\Kfknpj32.exe Kjdmjiae.exe File opened for modification C:\Windows\SysWOW64\Palgek32.exe Pieodn32.exe File opened for modification C:\Windows\SysWOW64\Nihedodm.exe Nbnmhe32.exe File opened for modification C:\Windows\SysWOW64\Bmiqlpge.exe Bfohoe32.exe File created C:\Windows\SysWOW64\Mmgoqg32.exe Mocogc32.exe File created C:\Windows\SysWOW64\Cjobnf32.dll Jjldbiig.exe File created C:\Windows\SysWOW64\Cidddpbi.dll Bchmolkm.exe File opened for modification C:\Windows\SysWOW64\Kgddin32.exe Kkmddmop.exe File created C:\Windows\SysWOW64\Fkkmgk32.dll Hacabgig.exe File opened for modification C:\Windows\SysWOW64\Dmhfpmee.exe Diljpn32.exe File created C:\Windows\SysWOW64\Cmnlphjd.exe Cfddcn32.exe File created C:\Windows\SysWOW64\Edjjph32.exe Empacnmh.exe File created C:\Windows\SysWOW64\Jdjgcbci.dll Jhfgjk32.exe File created C:\Windows\SysWOW64\Ldekqe32.dll Ldfgdn32.exe File created C:\Windows\SysWOW64\Faefim32.exe Fijadk32.exe File created C:\Windows\SysWOW64\Jpmgid32.dll Nipgab32.exe File opened for modification C:\Windows\SysWOW64\Ibaago32.exe Ifjqbnnl.exe File created C:\Windows\SysWOW64\Niebma32.dll Oichhc32.exe File created C:\Windows\SysWOW64\Qhoegi32.dll Ahkgeq32.exe File created C:\Windows\SysWOW64\Igmalekk.dll Cffqhmqd.exe File opened for modification C:\Windows\SysWOW64\Eedjfchi.exe Enmbeehg.exe File created C:\Windows\SysWOW64\Pgfbhb32.exe Ppmjkhma.exe File created C:\Windows\SysWOW64\Mllcodig.exe Mnhbep32.exe File created C:\Windows\SysWOW64\Neknnm32.dll Fndhed32.exe File created C:\Windows\SysWOW64\Ppmjkhma.exe Pgdfbb32.exe File created C:\Windows\SysWOW64\Fobamgfd.exe Fejmda32.exe File created C:\Windows\SysWOW64\Cfgeap32.dll Ieokjbkp.exe File created C:\Windows\SysWOW64\Ooljkbfj.dll Dbmnla32.exe File created C:\Windows\SysWOW64\Fgaopcqk.dll Nhbnjpic.exe File opened for modification C:\Windows\SysWOW64\Gpiadq32.exe Gfqmkk32.exe File created C:\Windows\SysWOW64\Dpcqmbbm.dll Nkddkk32.exe File opened for modification C:\Windows\SysWOW64\Aiaqie32.exe Aollklac.exe File created C:\Windows\SysWOW64\Ifcdnajj.dll Aobblkkk.exe File opened for modification C:\Windows\SysWOW64\Hdneohbk.exe Hgjdecca.exe File created C:\Windows\SysWOW64\Hpgcfmge.exe Hmhgjahb.exe File created C:\Windows\SysWOW64\Hbpomb32.exe Hqocej32.exe File created C:\Windows\SysWOW64\Ihgajl32.dll Hqmmja32.exe File created C:\Windows\SysWOW64\Ejleamon.exe Eadpig32.exe File created C:\Windows\SysWOW64\Cfhfld32.dll Lpfdpmho.exe File opened for modification C:\Windows\SysWOW64\Hmbdlc32.exe Hcjpcmjg.exe File created C:\Windows\SysWOW64\Kccehneq.dll Ehkgnpbe.exe File created C:\Windows\SysWOW64\Ejambd32.dll Mlgjce32.exe File created C:\Windows\SysWOW64\Nqghdh32.dll Eomoohoi.exe File opened for modification C:\Windows\SysWOW64\Dcbpfp32.exe Dfoplkel.exe File opened for modification C:\Windows\SysWOW64\Mdcbjhme.exe Minnmomo.exe File opened for modification C:\Windows\SysWOW64\Pgmfph32.exe Pmhbbp32.exe -
Program crash 1 IoCs
pid pid_target Process procid_target 4396 4028 WerFault.exe 818 -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Flcjjdpe.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dobcekld.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hjmjln32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hmpemkkf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bjcnoe32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Eaiqnmgd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Flldei32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ijacgnjj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Epflbbpp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cmnlphjd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Djdenoif.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jgdmkhnp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Aeljmq32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cihqdoaa.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jpnffoci.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dhhkiq32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Okjoec32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nnboonmb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cjnjhcqo.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nngjbfpa.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Obngnphg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ahfkah32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ekjjebed.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hinlck32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Aooaej32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cokqfhpa.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fhpflblk.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hkifld32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Aihmhe32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hddjcbfh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ifjqbnnl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mnhbep32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ihinkn32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ljafifbh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Feblho32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Iapjad32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Aahkhgag.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jjldbiig.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mdibpn32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gadkmj32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nfljpa32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jedgnjon.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gikahkng.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Oicfpkci.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hcmmhmhd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pmngef32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Femlbjee.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Genkhidc.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Iccqedfa.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kffblb32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Koifob32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Idhplaoe.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Blfodb32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gaoiol32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ijipbchn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nbqjne32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fnifbaja.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mlogojjp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hjjmgo32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jmjidneo.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bamdcf32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gbpaef32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jmmmdd32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fmggdm32.exe -
Modifies registry class 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Bmcnmapk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Dfoplkel.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bnnfdpgo.dll" Gojfeb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bpmhqf32.dll" Kiaiooja.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ngmbfl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Fbhkdgbk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hpfndjil.dll" Dejqenmh.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Nkfpefme.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ffajkmnj.dll" Bfohoe32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Hembfo32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Fkfobbjo.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Nliqoofa.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ccikghel.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Hmbdlc32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Fnlhibff.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Fpqjeiji.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Aoqjhiie.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Akldhi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Aqapek32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ohleappp.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Oqhcda32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Nibcgb32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Hacabgig.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Iiablido.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Fhpflblk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Gcfiqgfp.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Aihmhe32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Pgdcjjom.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ajojpafh.dll" Peandcih.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pbaakoab.dll" Bjcimhab.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Pkeppngm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Mdcbjhme.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Cmcjldbf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Biaeccca.dll" Hcjpcmjg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Qnkgnj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Goicaell.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Kfqpmc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bcmafnhi.dll" Nhlndj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Maakib32.dll" Hofmlf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Okbgkk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gkemhafb.dll" Bpkedbka.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ofdqpj32.dll" Lhjmdn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Gafelnkb.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Gapbbk32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Pdpcgl32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ikafpbon.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Pnkhfnea.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Omjjgkfq.dll" Kkmddmop.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Knqnmeff.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Bamdcf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gfgifhbn.dll" Niilofhh.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Pmngef32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Kiaiooja.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Miciqgqn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Campbj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jhiiaqdl.dll" Boppmf32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ohjhlqbc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Knnagehi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Kjgoaflj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Kpgpfdoj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Oiebej32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Phifln32.dll" Fhpoalho.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ghlhpiia.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Qiodcecl.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 1616 wrote to memory of 344 1616 e85c44564ddda05b45ca77ba71085e779af0887df35ee73229a7ff82d24b193aN.exe 29 PID 1616 wrote to memory of 344 1616 e85c44564ddda05b45ca77ba71085e779af0887df35ee73229a7ff82d24b193aN.exe 29 PID 1616 wrote to memory of 344 1616 e85c44564ddda05b45ca77ba71085e779af0887df35ee73229a7ff82d24b193aN.exe 29 PID 1616 wrote to memory of 344 1616 e85c44564ddda05b45ca77ba71085e779af0887df35ee73229a7ff82d24b193aN.exe 29 PID 344 wrote to memory of 2688 344 Epkgkfmd.exe 30 PID 344 wrote to memory of 2688 344 Epkgkfmd.exe 30 PID 344 wrote to memory of 2688 344 Epkgkfmd.exe 30 PID 344 wrote to memory of 2688 344 Epkgkfmd.exe 30 PID 2688 wrote to memory of 2800 2688 Eickdlcd.exe 31 PID 2688 wrote to memory of 2800 2688 Eickdlcd.exe 31 PID 2688 wrote to memory of 2800 2688 Eickdlcd.exe 31 PID 2688 wrote to memory of 2800 2688 Eickdlcd.exe 31 PID 2800 wrote to memory of 2816 2800 Efglmpbn.exe 32 PID 2800 wrote to memory of 2816 2800 Efglmpbn.exe 32 PID 2800 wrote to memory of 2816 2800 Efglmpbn.exe 32 PID 2800 wrote to memory of 2816 2800 Efglmpbn.exe 32 PID 2816 wrote to memory of 2620 2816 Ekcdegqe.exe 33 PID 2816 wrote to memory of 2620 2816 Ekcdegqe.exe 33 PID 2816 wrote to memory of 2620 2816 Ekcdegqe.exe 33 PID 2816 wrote to memory of 2620 2816 Ekcdegqe.exe 33 PID 2620 wrote to memory of 2044 2620 Fijadk32.exe 34 PID 2620 wrote to memory of 2044 2620 Fijadk32.exe 34 PID 2620 wrote to memory of 2044 2620 Fijadk32.exe 34 PID 2620 wrote to memory of 2044 2620 Fijadk32.exe 34 PID 2044 wrote to memory of 2084 2044 Faefim32.exe 35 PID 2044 wrote to memory of 2084 2044 Faefim32.exe 35 PID 2044 wrote to memory of 2084 2044 Faefim32.exe 35 PID 2044 wrote to memory of 2084 2044 Faefim32.exe 35 PID 2084 wrote to memory of 2632 2084 Fnifbaja.exe 36 PID 2084 wrote to memory of 2632 2084 Fnifbaja.exe 36 PID 2084 wrote to memory of 2632 2084 Fnifbaja.exe 36 PID 2084 wrote to memory of 2632 2084 Fnifbaja.exe 36 PID 2632 wrote to memory of 2524 2632 Fajpdmgb.exe 37 PID 2632 wrote to memory of 2524 2632 Fajpdmgb.exe 37 PID 2632 wrote to memory of 2524 2632 Fajpdmgb.exe 37 PID 2632 wrote to memory of 2524 2632 Fajpdmgb.exe 37 PID 2524 wrote to memory of 2684 2524 Fdhlphff.exe 38 PID 2524 wrote to memory of 2684 2524 Fdhlphff.exe 38 PID 2524 wrote to memory of 2684 2524 Fdhlphff.exe 38 PID 2524 wrote to memory of 2684 2524 Fdhlphff.exe 38 PID 2684 wrote to memory of 2692 2684 Fmqpinlf.exe 39 PID 2684 wrote to memory of 2692 2684 Fmqpinlf.exe 39 PID 2684 wrote to memory of 2692 2684 Fmqpinlf.exe 39 PID 2684 wrote to memory of 2692 2684 Fmqpinlf.exe 39 PID 2692 wrote to memory of 1264 2692 Gaoiol32.exe 40 PID 2692 wrote to memory of 1264 2692 Gaoiol32.exe 40 PID 2692 wrote to memory of 1264 2692 Gaoiol32.exe 40 PID 2692 wrote to memory of 1264 2692 Gaoiol32.exe 40 PID 1264 wrote to memory of 3008 1264 Gmejdm32.exe 41 PID 1264 wrote to memory of 3008 1264 Gmejdm32.exe 41 PID 1264 wrote to memory of 3008 1264 Gmejdm32.exe 41 PID 1264 wrote to memory of 3008 1264 Gmejdm32.exe 41 PID 3008 wrote to memory of 2080 3008 Gfnnmboa.exe 42 PID 3008 wrote to memory of 2080 3008 Gfnnmboa.exe 42 PID 3008 wrote to memory of 2080 3008 Gfnnmboa.exe 42 PID 3008 wrote to memory of 2080 3008 Gfnnmboa.exe 42 PID 2080 wrote to memory of 2436 2080 Goicaell.exe 43 PID 2080 wrote to memory of 2436 2080 Goicaell.exe 43 PID 2080 wrote to memory of 2436 2080 Goicaell.exe 43 PID 2080 wrote to memory of 2436 2080 Goicaell.exe 43 PID 2436 wrote to memory of 2476 2436 Ghagjj32.exe 44 PID 2436 wrote to memory of 2476 2436 Ghagjj32.exe 44 PID 2436 wrote to memory of 2476 2436 Ghagjj32.exe 44 PID 2436 wrote to memory of 2476 2436 Ghagjj32.exe 44
Processes
-
C:\Users\Admin\AppData\Local\Temp\e85c44564ddda05b45ca77ba71085e779af0887df35ee73229a7ff82d24b193aN.exe"C:\Users\Admin\AppData\Local\Temp\e85c44564ddda05b45ca77ba71085e779af0887df35ee73229a7ff82d24b193aN.exe"1⤵
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:1616 -
C:\Windows\SysWOW64\Epkgkfmd.exeC:\Windows\system32\Epkgkfmd.exe2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:344 -
C:\Windows\SysWOW64\Eickdlcd.exeC:\Windows\system32\Eickdlcd.exe3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2688 -
C:\Windows\SysWOW64\Efglmpbn.exeC:\Windows\system32\Efglmpbn.exe4⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2800 -
C:\Windows\SysWOW64\Ekcdegqe.exeC:\Windows\system32\Ekcdegqe.exe5⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2816 -
C:\Windows\SysWOW64\Fijadk32.exeC:\Windows\system32\Fijadk32.exe6⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2620 -
C:\Windows\SysWOW64\Faefim32.exeC:\Windows\system32\Faefim32.exe7⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2044 -
C:\Windows\SysWOW64\Fnifbaja.exeC:\Windows\system32\Fnifbaja.exe8⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2084 -
C:\Windows\SysWOW64\Fajpdmgb.exeC:\Windows\system32\Fajpdmgb.exe9⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2632 -
C:\Windows\SysWOW64\Fdhlphff.exeC:\Windows\system32\Fdhlphff.exe10⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2524 -
C:\Windows\SysWOW64\Fmqpinlf.exeC:\Windows\system32\Fmqpinlf.exe11⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2684 -
C:\Windows\SysWOW64\Gaoiol32.exeC:\Windows\system32\Gaoiol32.exe12⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2692 -
C:\Windows\SysWOW64\Gmejdm32.exeC:\Windows\system32\Gmejdm32.exe13⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1264 -
C:\Windows\SysWOW64\Gfnnmboa.exeC:\Windows\system32\Gfnnmboa.exe14⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:3008 -
C:\Windows\SysWOW64\Goicaell.exeC:\Windows\system32\Goicaell.exe15⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2080 -
C:\Windows\SysWOW64\Ghagjj32.exeC:\Windows\system32\Ghagjj32.exe16⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2436 -
C:\Windows\SysWOW64\Ghcdpjqj.exeC:\Windows\system32\Ghcdpjqj.exe17⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2476 -
C:\Windows\SysWOW64\Hdjedk32.exeC:\Windows\system32\Hdjedk32.exe18⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1932 -
C:\Windows\SysWOW64\Hopibdfd.exeC:\Windows\system32\Hopibdfd.exe19⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1332 -
C:\Windows\SysWOW64\Hobfgcdb.exeC:\Windows\system32\Hobfgcdb.exe20⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1676 -
C:\Windows\SysWOW64\Hkifld32.exeC:\Windows\system32\Hkifld32.exe21⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:844 -
C:\Windows\SysWOW64\Hpfoekhm.exeC:\Windows\system32\Hpfoekhm.exe22⤵
- Executes dropped EXE
- Loads dropped DLL
PID:3032 -
C:\Windows\SysWOW64\Hincna32.exeC:\Windows\system32\Hincna32.exe23⤵
- Executes dropped EXE
- Loads dropped DLL
PID:824 -
C:\Windows\SysWOW64\Hcghffen.exeC:\Windows\system32\Hcghffen.exe24⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2012 -
C:\Windows\SysWOW64\Iegaha32.exeC:\Windows\system32\Iegaha32.exe25⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2904 -
C:\Windows\SysWOW64\Ianambhc.exeC:\Windows\system32\Ianambhc.exe26⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1528 -
C:\Windows\SysWOW64\Iodolf32.exeC:\Windows\system32\Iodolf32.exe27⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2908 -
C:\Windows\SysWOW64\Idagdm32.exeC:\Windows\system32\Idagdm32.exe28⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2888 -
C:\Windows\SysWOW64\Ibehna32.exeC:\Windows\system32\Ibehna32.exe29⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2988 -
C:\Windows\SysWOW64\Ihopjl32.exeC:\Windows\system32\Ihopjl32.exe30⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
PID:2588 -
C:\Windows\SysWOW64\Jgdmkhnp.exeC:\Windows\system32\Jgdmkhnp.exe31⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:2488 -
C:\Windows\SysWOW64\Jqonjmbn.exeC:\Windows\system32\Jqonjmbn.exe32⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2104 -
C:\Windows\SysWOW64\Jjgbbc32.exeC:\Windows\system32\Jjgbbc32.exe33⤵
- Executes dropped EXE
PID:560 -
C:\Windows\SysWOW64\Jodkkj32.exeC:\Windows\system32\Jodkkj32.exe34⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:1744 -
C:\Windows\SysWOW64\Jjjohbgl.exeC:\Windows\system32\Jjjohbgl.exe35⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:948 -
C:\Windows\SysWOW64\Jkklpk32.exeC:\Windows\system32\Jkklpk32.exe36⤵
- Executes dropped EXE
PID:2492 -
C:\Windows\SysWOW64\Kfqpmc32.exeC:\Windows\system32\Kfqpmc32.exe37⤵
- Executes dropped EXE
- Modifies registry class
PID:1956 -
C:\Windows\SysWOW64\Kkmhej32.exeC:\Windows\system32\Kkmhej32.exe38⤵
- Executes dropped EXE
PID:1180 -
C:\Windows\SysWOW64\Kiaiooja.exeC:\Windows\system32\Kiaiooja.exe39⤵
- Executes dropped EXE
- Modifies registry class
PID:1496 -
C:\Windows\SysWOW64\Knnagehi.exeC:\Windows\system32\Knnagehi.exe40⤵
- Executes dropped EXE
- Modifies registry class
PID:1612 -
C:\Windows\SysWOW64\Kicednho.exeC:\Windows\system32\Kicednho.exe41⤵
- Executes dropped EXE
PID:2404 -
C:\Windows\SysWOW64\Knqnmeff.exeC:\Windows\system32\Knqnmeff.exe42⤵
- Executes dropped EXE
- Modifies registry class
PID:1016 -
C:\Windows\SysWOW64\Kejfio32.exeC:\Windows\system32\Kejfio32.exe43⤵
- Executes dropped EXE
PID:1844 -
C:\Windows\SysWOW64\Kjgoaflj.exeC:\Windows\system32\Kjgoaflj.exe44⤵
- Executes dropped EXE
- Modifies registry class
PID:2368 -
C:\Windows\SysWOW64\Kemcookp.exeC:\Windows\system32\Kemcookp.exe45⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2292 -
C:\Windows\SysWOW64\Kfnpgg32.exeC:\Windows\system32\Kfnpgg32.exe46⤵
- Executes dropped EXE
PID:3040 -
C:\Windows\SysWOW64\Lpfdpmho.exeC:\Windows\system32\Lpfdpmho.exe47⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:876 -
C:\Windows\SysWOW64\Ljlhme32.exeC:\Windows\system32\Ljlhme32.exe48⤵
- Executes dropped EXE
PID:2188 -
C:\Windows\SysWOW64\Lafpipoa.exeC:\Windows\system32\Lafpipoa.exe49⤵
- Executes dropped EXE
PID:2752 -
C:\Windows\SysWOW64\Lfbibfmi.exeC:\Windows\system32\Lfbibfmi.exe50⤵
- Executes dropped EXE
PID:1576 -
C:\Windows\SysWOW64\Ldgikklb.exeC:\Windows\system32\Ldgikklb.exe51⤵
- Executes dropped EXE
PID:1736 -
C:\Windows\SysWOW64\Mlidplcf.exeC:\Windows\system32\Mlidplcf.exe52⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2872 -
C:\Windows\SysWOW64\Mknaahhn.exeC:\Windows\system32\Mknaahhn.exe53⤵
- Executes dropped EXE
PID:2304 -
C:\Windows\SysWOW64\Mkqnghfk.exeC:\Windows\system32\Mkqnghfk.exe54⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2740 -
C:\Windows\SysWOW64\Mdibpn32.exeC:\Windows\system32\Mdibpn32.exe55⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2668 -
C:\Windows\SysWOW64\Mggoli32.exeC:\Windows\system32\Mggoli32.exe56⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2944 -
C:\Windows\SysWOW64\Ngikaijm.exeC:\Windows\system32\Ngikaijm.exe57⤵
- Executes dropped EXE
PID:2848 -
C:\Windows\SysWOW64\Noepfkgh.exeC:\Windows\system32\Noepfkgh.exe58⤵
- Executes dropped EXE
PID:2844 -
C:\Windows\SysWOW64\Nliqoofa.exeC:\Windows\system32\Nliqoofa.exe59⤵
- Executes dropped EXE
- Modifies registry class
PID:2560 -
C:\Windows\SysWOW64\Naeigf32.exeC:\Windows\system32\Naeigf32.exe60⤵
- Executes dropped EXE
PID:2240 -
C:\Windows\SysWOW64\Nlkmeo32.exeC:\Windows\system32\Nlkmeo32.exe61⤵
- Executes dropped EXE
PID:2252 -
C:\Windows\SysWOW64\Nahemf32.exeC:\Windows\system32\Nahemf32.exe62⤵
- Executes dropped EXE
PID:2384 -
C:\Windows\SysWOW64\Nhbnjpic.exeC:\Windows\system32\Nhbnjpic.exe63⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:820 -
C:\Windows\SysWOW64\Nnofbg32.exeC:\Windows\system32\Nnofbg32.exe64⤵
- Executes dropped EXE
PID:3012 -
C:\Windows\SysWOW64\Okbgkk32.exeC:\Windows\system32\Okbgkk32.exe65⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Modifies registry class
PID:2224 -
C:\Windows\SysWOW64\Ohfgeo32.exeC:\Windows\system32\Ohfgeo32.exe66⤵PID:912
-
C:\Windows\SysWOW64\Ocphembl.exeC:\Windows\system32\Ocphembl.exe67⤵PID:2388
-
C:\Windows\SysWOW64\Oqdioaqf.exeC:\Windows\system32\Oqdioaqf.exe68⤵PID:3060
-
C:\Windows\SysWOW64\Ojlmgg32.exeC:\Windows\system32\Ojlmgg32.exe69⤵PID:2520
-
C:\Windows\SysWOW64\Ooiepnen.exeC:\Windows\system32\Ooiepnen.exe70⤵PID:2148
-
C:\Windows\SysWOW64\Ojojmfed.exeC:\Windows\system32\Ojojmfed.exe71⤵PID:2120
-
C:\Windows\SysWOW64\Pcgnfl32.exeC:\Windows\system32\Pcgnfl32.exe72⤵PID:2672
-
C:\Windows\SysWOW64\Pcikllja.exeC:\Windows\system32\Pcikllja.exe73⤵PID:1740
-
C:\Windows\SysWOW64\Pkeppngm.exeC:\Windows\system32\Pkeppngm.exe74⤵
- Modifies registry class
PID:2896 -
C:\Windows\SysWOW64\Pgkqeo32.exeC:\Windows\system32\Pgkqeo32.exe75⤵PID:2852
-
C:\Windows\SysWOW64\Pbaebh32.exeC:\Windows\system32\Pbaebh32.exe76⤵PID:2268
-
C:\Windows\SysWOW64\Pgnmjokn.exeC:\Windows\system32\Pgnmjokn.exe77⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2860 -
C:\Windows\SysWOW64\Pbcahgjd.exeC:\Windows\system32\Pbcahgjd.exe78⤵PID:1948
-
C:\Windows\SysWOW64\Peandcih.exeC:\Windows\system32\Peandcih.exe79⤵
- Modifies registry class
PID:2196 -
C:\Windows\SysWOW64\Qnjbmh32.exeC:\Windows\system32\Qnjbmh32.exe80⤵PID:2168
-
C:\Windows\SysWOW64\Qfegakmc.exeC:\Windows\system32\Qfegakmc.exe81⤵PID:1728
-
C:\Windows\SysWOW64\Qcigjolm.exeC:\Windows\system32\Qcigjolm.exe82⤵PID:1928
-
C:\Windows\SysWOW64\Aamhdckg.exeC:\Windows\system32\Aamhdckg.exe83⤵PID:2024
-
C:\Windows\SysWOW64\Aihmhe32.exeC:\Windows\system32\Aihmhe32.exe84⤵
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:600 -
C:\Windows\SysWOW64\Aeommfnf.exeC:\Windows\system32\Aeommfnf.exe85⤵PID:3036
-
C:\Windows\SysWOW64\Afojgiei.exeC:\Windows\system32\Afojgiei.exe86⤵PID:2040
-
C:\Windows\SysWOW64\Allbpqcp.exeC:\Windows\system32\Allbpqcp.exe87⤵PID:2680
-
C:\Windows\SysWOW64\Aahkhgag.exeC:\Windows\system32\Aahkhgag.exe88⤵
- System Location Discovery: System Language Discovery
PID:2316 -
C:\Windows\SysWOW64\Alnoepam.exeC:\Windows\system32\Alnoepam.exe89⤵PID:2880
-
C:\Windows\SysWOW64\Bdiciboh.exeC:\Windows\system32\Bdiciboh.exe90⤵PID:2528
-
C:\Windows\SysWOW64\Bamdcf32.exeC:\Windows\system32\Bamdcf32.exe91⤵
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:2900 -
C:\Windows\SysWOW64\Bhglpqeo.exeC:\Windows\system32\Bhglpqeo.exe92⤵PID:2840
-
C:\Windows\SysWOW64\Bdnmda32.exeC:\Windows\system32\Bdnmda32.exe93⤵PID:1312
-
C:\Windows\SysWOW64\Bikemiik.exeC:\Windows\system32\Bikemiik.exe94⤵PID:656
-
C:\Windows\SysWOW64\Bfoffmhd.exeC:\Windows\system32\Bfoffmhd.exe95⤵PID:2916
-
C:\Windows\SysWOW64\Blkoocfl.exeC:\Windows\system32\Blkoocfl.exe96⤵PID:1824
-
C:\Windows\SysWOW64\Beccgi32.exeC:\Windows\system32\Beccgi32.exe97⤵PID:2288
-
C:\Windows\SysWOW64\Colgpo32.exeC:\Windows\system32\Colgpo32.exe98⤵PID:752
-
C:\Windows\SysWOW64\Clphjc32.exeC:\Windows\system32\Clphjc32.exe99⤵PID:1540
-
C:\Windows\SysWOW64\Campbj32.exeC:\Windows\system32\Campbj32.exe100⤵
- Modifies registry class
PID:2796 -
C:\Windows\SysWOW64\Clbdobpc.exeC:\Windows\system32\Clbdobpc.exe101⤵PID:1276
-
C:\Windows\SysWOW64\Cclmlm32.exeC:\Windows\system32\Cclmlm32.exe102⤵PID:1596
-
C:\Windows\SysWOW64\Caajmilh.exeC:\Windows\system32\Caajmilh.exe103⤵PID:2464
-
C:\Windows\SysWOW64\Chkbjc32.exeC:\Windows\system32\Chkbjc32.exe104⤵PID:900
-
C:\Windows\SysWOW64\Dhnoocab.exeC:\Windows\system32\Dhnoocab.exe105⤵PID:2444
-
C:\Windows\SysWOW64\Dafchi32.exeC:\Windows\system32\Dafchi32.exe106⤵PID:2116
-
C:\Windows\SysWOW64\Dkohanoc.exeC:\Windows\system32\Dkohanoc.exe107⤵PID:2936
-
C:\Windows\SysWOW64\Dpkpie32.exeC:\Windows\system32\Dpkpie32.exe108⤵PID:1564
-
C:\Windows\SysWOW64\Djddbkck.exeC:\Windows\system32\Djddbkck.exe109⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:968 -
C:\Windows\SysWOW64\Dghekobe.exeC:\Windows\system32\Dghekobe.exe110⤵PID:2068
-
C:\Windows\SysWOW64\Dhiacg32.exeC:\Windows\system32\Dhiacg32.exe111⤵PID:1980
-
C:\Windows\SysWOW64\Dppiddie.exeC:\Windows\system32\Dppiddie.exe112⤵PID:676
-
C:\Windows\SysWOW64\Djhnmj32.exeC:\Windows\system32\Djhnmj32.exe113⤵PID:1004
-
C:\Windows\SysWOW64\Ekjjebed.exeC:\Windows\system32\Ekjjebed.exe114⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- System Location Discovery: System Language Discovery
PID:2172 -
C:\Windows\SysWOW64\Edbonh32.exeC:\Windows\system32\Edbonh32.exe115⤵PID:2204
-
C:\Windows\SysWOW64\Eogckqkk.exeC:\Windows\system32\Eogckqkk.exe116⤵PID:3048
-
C:\Windows\SysWOW64\Ehphdf32.exeC:\Windows\system32\Ehphdf32.exe117⤵PID:2972
-
C:\Windows\SysWOW64\Ebhlmlhl.exeC:\Windows\system32\Ebhlmlhl.exe118⤵PID:2220
-
C:\Windows\SysWOW64\Fmffhi32.exeC:\Windows\system32\Fmffhi32.exe119⤵PID:2744
-
C:\Windows\SysWOW64\Fjmdgmnl.exeC:\Windows\system32\Fjmdgmnl.exe120⤵PID:1516
-
C:\Windows\SysWOW64\Flcjjdpe.exeC:\Windows\system32\Flcjjdpe.exe121⤵
- System Location Discovery: System Language Discovery
PID:1544
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-